Ejemplo n.º 1
0
 def test_no_registered_client_metadata_is_handled(self):
     config = ProviderConfiguration(
         provider_metadata=self.PROVIDER_METADATA,
         client_registration_info=ClientRegistrationInfo(),
     )
     facade = PyoidcFacade(config, self.REDIRECT_URI)
     assert not facade._client.registration_response
Ejemplo n.º 2
0
 def test_is_registered(self):
     unregistered = ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
                                          client_registration_info=ClientRegistrationInfo())
     registered = ProviderConfiguration(provider_metadata=self.PROVIDER_METADATA,
                                        client_metadata=self.CLIENT_METADATA)
     assert PyoidcFacade(unregistered, self.REDIRECT_URI).is_registered() is False
     assert PyoidcFacade(registered, self.REDIRECT_URI).is_registered() is True
Ejemplo n.º 3
0
    def test_should_register_dynamic_client_if_client_registration_info_is_given(
            self):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        responses.add(responses.POST,
                      registration_endpoint,
                      json={
                          'client_id': 'client1',
                          'client_secret': 'secret1'
                      })

        provider_config = ProviderConfiguration(
            provider_metadata=self.provider_metadata(
                registration_endpoint=registration_endpoint),
            client_registration_info=ClientRegistrationInfo())

        extra_args = {'extra_args': 'should be passed'}
        redirect_uris = ['https://client.example.com/redirect']
        provider_config.register_client(redirect_uris, extra_args)
        assert provider_config._client_metadata['client_id'] == 'client1'
        assert provider_config._client_metadata['client_secret'] == 'secret1'
        assert provider_config._client_metadata[
            'redirect_uris'] == redirect_uris

        expected_registration_request = {'redirect_uris': redirect_uris}
        expected_registration_request.update(extra_args)
        assert json.loads(responses.calls[0].request.body.decode(
            'utf-8')) == expected_registration_request
Ejemplo n.º 4
0
    def test_register(self):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        redirect_uris = ['https://client.example.com/redirect']
        post_logout_redirect_uris = ['https://client.example.com/logout']
        client_registration_response = {
            'client_id': 'client1',
            'client_secret': 'secret1',
            'client_name': 'Test Client',
            'redirect_uris': redirect_uris,
            'post_logout_redirect_uris': post_logout_redirect_uris
        }
        responses.add(responses.POST,
                      registration_endpoint,
                      json=client_registration_response)

        provider_metadata = self.PROVIDER_METADATA.copy(
            registration_endpoint=registration_endpoint)
        unregistered = ProviderConfiguration(
            provider_metadata=provider_metadata,
            client_registration_info=ClientRegistrationInfo(
                redirect_uris=redirect_uris,
                post_logout_redirect_uris=post_logout_redirect_uris))
        facade = PyoidcFacade(unregistered, REDIRECT_URI)
        facade.register()
        assert facade.is_registered() is True
Ejemplo n.º 5
0
    def test_should_register_dynamic_client_if_client_registration_info_is_given(
            self):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        redirect_uris = [
            'https://client.example.com/redirect',
            'https://client.example.com/redirect2'
        ]
        post_logout_redirect_uris = ['https://client.example.com/logout']
        responses.add(responses.POST,
                      registration_endpoint,
                      json={
                          'client_id': 'client1',
                          'client_secret': 'secret1',
                          'redirect_uris': redirect_uris,
                          'post_logout_redirect_uris':
                          post_logout_redirect_uris
                      })

        provider_config = ProviderConfiguration(
            provider_metadata=self.provider_metadata(
                registration_endpoint=registration_endpoint),
            client_registration_info=ClientRegistrationInfo(
                redirect_uris=redirect_uris,
                post_logout_redirect_uris=post_logout_redirect_uris))

        provider_config.register_client(Client(CLIENT_AUTHN_METHOD))
        assert provider_config._client_metadata['client_id'] == 'client1'
        assert provider_config._client_metadata['client_secret'] == 'secret1'
        assert provider_config._client_metadata[
            'redirect_uris'] == redirect_uris
        assert provider_config._client_metadata[
            'post_logout_redirect_uris'] == post_logout_redirect_uris
Ejemplo n.º 6
0
    def test_should_not_fetch_provider_metadata_if_given(self):
        provider_metadata = self.provider_metadata()
        provider_config = ProviderConfiguration(
            provider_metadata=provider_metadata,
            client_registration_info=ClientRegistrationInfo())

        provider_config.ensure_provider_metadata()
        assert provider_config._provider_metadata == provider_metadata
Ejemplo n.º 7
0
    def test_missing_provider_metadata_raises_exception(self):
        with pytest.raises(ValueError) as exc_info:
            ProviderConfiguration(
                client_registration_info=ClientRegistrationInfo())

        exc_message = str(exc_info.value)
        assert 'issuer' in exc_message
        assert 'provider_metadata' in exc_message
Ejemplo n.º 8
0
 def test_should_raise_exception_for_non_registered_client_when_missing_registration_endpoint(
         self):
     provider_config = ProviderConfiguration(
         provider_metadata=self.provider_metadata(),
         client_registration_info=ClientRegistrationInfo())
     with pytest.raises(ValueError) as exc_info:
         provider_config.register_client([])
     assert 'registration_endpoint' in str(exc_info.value)
Ejemplo n.º 9
0
 def test_should_raise_exception_for_non_registered_client_when_missing_registration_endpoint(
         self):
     provider_config = ProviderConfiguration(
         provider_metadata=self.provider_metadata(),
         client_registration_info=ClientRegistrationInfo())
     assert provider_config._provider_metadata[
         'registration_endpoint'] is None
     with pytest.raises(ValueError):
         provider_config.register_client(None)
Ejemplo n.º 10
0
    def test_register(self):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        responses.add(responses.POST, registration_endpoint, json=self.CLIENT_METADATA.to_dict())

        provider_metadata = self.PROVIDER_METADATA.copy(registration_endpoint=registration_endpoint)
        unregistered = ProviderConfiguration(provider_metadata=provider_metadata,
                                             client_registration_info=ClientRegistrationInfo())
        facade = PyoidcFacade(unregistered, self.REDIRECT_URI)
        facade.register()
        assert facade.is_registered() is True
Ejemplo n.º 11
0
    def test_should_register_client_if_not_registered_before(
            self, post_logout_redirect_uris):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        provider_metadata = ProviderMetadata(
            self.PROVIDER_BASEURL,
            self.PROVIDER_BASEURL + '/auth',
            self.PROVIDER_BASEURL + '/jwks',
            registration_endpoint=registration_endpoint)
        client_metadata = {}
        if post_logout_redirect_uris:
            client_metadata[
                'post_logout_redirect_uris'] = post_logout_redirect_uris
        provider_configurations = {
            self.PROVIDER_NAME:
            ProviderConfiguration(
                provider_metadata=provider_metadata,
                client_registration_info=ClientRegistrationInfo(
                    **client_metadata))
        }
        authn = OIDCAuthentication(provider_configurations)
        authn.init_app(self.app)

        # register logout view to force 'post_logout_redirect_uris' to be included in registration request
        logout_view_mock = self.get_view_mock()
        self.app.add_url_rule('/logout', view_func=logout_view_mock)
        authn.oidc_logout(logout_view_mock)

        responses.add(responses.POST,
                      registration_endpoint,
                      json={
                          'client_id': 'client1',
                          'client_secret': 'secret1'
                      })
        view_mock = self.get_view_mock()
        with self.app.test_request_context('/'):
            auth_redirect = authn.oidc_auth(self.PROVIDER_NAME)(view_mock)()

        self.assert_auth_redirect(auth_redirect)
        registration_request = json.loads(
            responses.calls[0].request.body.decode('utf-8'))
        with self.app.app_context():
            full_redirect_uri = flask.url_for(
                registration_request['redirect_uris'][0])
            registration_request['redirect_uris'] = full_redirect_uri

        expected_post_logout_redirect_uris = post_logout_redirect_uris if post_logout_redirect_uris else [
            'http://{}/logout'.format(self.CLIENT_DOMAIN)
        ]
        expected_registration_request = {
            'redirect_uris':
            'http://{}/redirect_uri'.format(self.CLIENT_DOMAIN),
            'post_logout_redirect_uris': expected_post_logout_redirect_uris
        }
        assert registration_request == expected_registration_request
Ejemplo n.º 12
0
    def test_register_client_should_register_dynamic_client_if_initial_access_token_present(
            self):

        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        redirect_uris = [
            'https://client.example.com/redirect',
            'https://client.example.com/redirect2'
        ]
        post_logout_redirect_uris = ['https://client.example.com/logout']
        client_registration_response = {
            'client_id': 'client1',
            'client_secret': 'secret1',
            'client_name': 'Test Client',
            'redirect_uris': redirect_uris,
            'post_logout_redirect_uris': post_logout_redirect_uris,
            'registration_client_uri':
            'https://op.example.com/register/client1',
            'registration_access_token': 'registration_access_token1'
        }
        responses.add(responses.POST,
                      registration_endpoint,
                      json=client_registration_response)
        provider_config = ProviderConfiguration(
            provider_metadata=self.provider_metadata(
                registration_endpoint=registration_endpoint),
            client_registration_info=ClientRegistrationInfo(
                client_name='Test Client',
                redirect_uris=redirect_uris,
                post_logout_redirect_uris=post_logout_redirect_uris,
                registration_token='initial_access_token'))

        provider_config.register_client(Client(CLIENT_AUTHN_METHOD))

        assert provider_config._client_metadata['client_id'] == 'client1'
        assert provider_config._client_metadata['client_secret'] == 'secret1'
        assert provider_config._client_metadata['client_name'] == 'Test Client'
        assert provider_config._client_metadata[
            'registration_client_uri'] == 'https://op.example.com/register/client1'
        assert provider_config._client_metadata[
            'registration_access_token'] == 'registration_access_token1'
        assert provider_config._client_metadata[
            'redirect_uris'] == redirect_uris
        assert provider_config._client_metadata[
            'post_logout_redirect_uris'] == post_logout_redirect_uris
        assert responses.calls[0].request.headers['Authorization'] == \
               f"Bearer {base64.b64encode('initial_access_token'.encode()).decode()}"
Ejemplo n.º 13
0
    def test_register_client_should_register_client_even_if_post_logout_redirect_uris_missing(
            self):
        registration_endpoint = self.PROVIDER_BASEURL + '/register'
        redirect_uris = [
            'https://client.example.com/redirect',
            'https://client.example.com/redirect2'
        ]
        client_registration_response = {
            'client_id': 'client1',
            'client_secret': 'secret1',
            'client_name': 'Test Client',
            'redirect_uris': redirect_uris,
            'registration_client_uri':
            'https://op.example.com/register/client1',
            'registration_access_token': 'registration_access_token1'
        }
        responses.add(responses.POST,
                      registration_endpoint,
                      json=client_registration_response)
        provider_config = ProviderConfiguration(
            provider_metadata=self.provider_metadata(
                registration_endpoint=registration_endpoint),
            client_registration_info=ClientRegistrationInfo(
                client_name='Test Client',
                redirect_uris=redirect_uris,
                post_logout_redirect_uris=[],
                registration_token='initial_access_token'))

        provider_config.register_client(client=Client(CLIENT_AUTHN_METHOD))

        assert provider_config._client_metadata['client_id'] == 'client1'
        assert provider_config._client_metadata['client_secret'] == 'secret1'
        assert provider_config._client_metadata['client_name'] == 'Test Client'
        assert provider_config._client_metadata[
            'registration_client_uri'] == 'https://op.example.com/register/client1'
        assert provider_config._client_metadata[
            'registration_access_token'] == 'registration_access_token1'
        assert provider_config._client_metadata[
            'redirect_uris'] == redirect_uris
        assert provider_config._client_metadata.get(
            'post_logout_redirect_uris') is None
Ejemplo n.º 14
0
    def test_should_fetch_provider_metadata_if_not_given(self):
        provider_metadata = {
            'issuer': self.PROVIDER_BASEURL,
            'authorization_endpoint': self.PROVIDER_BASEURL + '/auth',
            'jwks_uri': self.PROVIDER_BASEURL + '/jwks'
        }
        responses.add(responses.GET,
                      self.PROVIDER_BASEURL +
                      '/.well-known/openid-configuration',
                      json=provider_metadata)

        provider_config = ProviderConfiguration(
            issuer=self.PROVIDER_BASEURL,
            client_registration_info=ClientRegistrationInfo())
        provider_config.ensure_provider_metadata()
        assert provider_config._provider_metadata[
            'issuer'] == self.PROVIDER_BASEURL
        assert provider_config._provider_metadata[
            'authorization_endpoint'] == self.PROVIDER_BASEURL + '/auth'
        assert provider_config._provider_metadata[
            'jwks_uri'] == self.PROVIDER_BASEURL + '/jwks'